What do Jeremy Howells and several BIPS customers have in common? They each lost a lot of bitcoins because of the way they were stored. But BitGo, a company offering a new multi-signature wallet service, says that it doesn’t have to be that way.
Howells lost £4m in bitcoins after he threw out his hard drive, while payment processor and online wallet service BIPS saw over $1m stolen in a wallet hack. They both suffered from the same problem: a single point of failure.
BitGo’s founder Mike Belshe says that relying on a single device to store your bitcoins is a bad idea. Web wallets are outside the user’s control, while their own devices are prone to attack, hardware failure, or simple user error. “You wouldn’t want to use pure web, but you wouldn’t want to use pure client-side either – at least not for most mortals,” he said. “Client-side software is a bear.”
Two out of three
Instead, his wallet service, called BitGo Safe, uses a little-acknowledged feature within the bitcoin protocol that makes it possible to better protect money in a bitcoin address. Called Pay to Script Hash (P2SH), it is a specification outlined in an update to the bitcoin protocol called BIPS 16. It enables multisignature transactions, and the benefit of those is that they enable bitcoin transactions that must be authorized by more than one public key.
Conventional bitcoin transactions are non-reversible, meaning that once a bitcoin transaction has happened, it is impossible to retrieve the funds. If Bob wants to send Alice some bitcoins in exchange for a product, then one of them has to make the first move, and trust that the other will follow through. Bob may send his bitcoins, only for Alice to keep the product. Conversely, Alice may send the product and Bob may never pay her.
But if Jen, our third party, acts as an arbiter, then she can hold the funds in escrow until both Bob and Alice confirm that they received their goods. All the parties can do this manually, but that would enable Jen to run off with the bitcoins, or for her bitcoin wallet to be compromised, leaving her responsible for Alice and Bob’s outstanding transaction. This is what happened with black market web sites such as Sheep Market, whose customers saw thousands of bitcoins stolen.
Instead, multi-signature transactions are encoded in the protocol to make it more efficient, and secure. In BIPS 16, any number of signatures can be required to complete a transaction, but generally, people describe them as ‘two out of three’ transactions, requiring two of three digital signatures to execute.
A multi-signature scenario
In a multi-signature scenario, Bob would send his bitcoins to a bitcoin address that he controls jointly with Alice and Jen. If Alice and Bob both agree that the goods have arrived and the transaction is complete, then Alice can confirm Bob’s transaction, unlocking the money, and Jen’s involvement isn’t needed. But if either party disputes the transaction, they’ll end up trying to perform the opposite of each other: Bob will try to return the bitcoins to his own address, while, Alice will try to extract the bitcoins to her address. They can then call Jen in to investigate. She’ll make a decision, and then use her signature either to back Bob’s or Alice’s transaction. The neat thing about this is that Jen can’t send the coins to her own address, and no one else can steal the coins without stealing two of the three signatures involved.
In addition to stopping online scams, it’s also useful for stopping theft. Belshe, a software engineer who has worked at Netscape and Google, has developed a wallet that uses multi-signature support not for escrow purposes, but for wallet security.
His wallet uses three keys. One is stored on Bit2Go’s server. Another is the user’s “hot” key, used in transactions, while the third is a backup key that can be held in any form by the user, say on a USB stick or a paper wallet. Money can be sent to the wallet’s address as usual, but when the user wants to withdraw it, the “hot” key must be combined with another key in a two out of three transaction.
Typically, that will be the server-side key. But if the server disappears, they can still withdraw money from their wallet using their own two keys. And if their hard drive dies, they accidentally throw it in the landfill, or a hacker compromises it, then they can use the backup key with the server-side key to retrieve their coins.
“Using the two of three system has a really nice property, which is that there’s always a backup key available,” says Belshe, who raised the issue of P2SH wallets on the Bitcoin Talk forum in November.
However, multisignatures alone are not enough, points out Mike Hearn, one of the core bitcoin developers. “For the web wallet service to do something useful it needs some way to authenticate the user that doesn’t rely just on passwords (otherwise it’s no different to wallet encryption),” he points out.
Bit2Go solves that problem by introducing another feature: out-of-band two factor authentication. When a transaction occurs, it sends a message with a one-time password to the user’s phone so that they can confirm the transaction.
“Now, in order for you to be compromised, they really have to attack three different devices,” Belshe says.
Providers of traditional web wallets like the idea. Brian Armstrong, CEO of Coinbase, which just scored $25m in funding, was positive.
“Coinbase is excited and interested in any solutions like this which would help secure bitcoin wallets,” Armstrong said. “For example, we offer the ability to create paper wallets today (which are offline, private, and a physical storage of bitcoin). Using two of three could be a nice addition to this.”
BitGo also offers several other services, including a person-to-person exchange designed to connect friends who want to buy and sell bitcoins, and a bitcoin gifting service. The latter enables people to give bitcoins to friends by setting up a multisignature BitGo address.
It would be easy to see how it could begin packaging this as an API service to other bitcoin businesses. Belshe is staying tight-lipped, but he’s promising more announcements from the company soon.